I see no straightforward way to implement two-factor authentication (2FA) in Parse Server.

- 2FA using one or more methods (Google Authenticator, SMS, email).
- Device memory (with periodic expiration) so users don't necessarily need to enter the second factor all the time.
- Any particular user to have 2FA enabled/disabled optionally.

I initially started implementing this in my client-side code (PHP) for my Administrator users using Google Authenticator, but then I realized anyone with the AppID and the Admin password can simply write their own code to get around it. I then thought about storing a second factor, or possibly an IP whitelist, and rejecting any requests in beforeSave, beforeDelete, or beforeFind Cloud Code where the client did not provide the second factor, but that seems clunky. It is also difficult to rate-limit, since the malicious user would be able to log in and only be blocked at the point of accessing data. Further, I believe the second factor would need to be stored apart from the User object itself, since once logged in, the user can access its own [...]

[...] suggested using a 3rd party Auth adapter, for example Google, which could potentially work in my case since I only care about the extra security for certain users. However, I don't want to require Google login for everyone, which means native username/password login is still available. Checking triggers in Cloud Code for the particular users could be a workaround, but again, the user would be checked at the point of accessing data, not logging in. I also don't know if this solution would generalize to others' use cases.

One solution I see is to add a beforeLogin trigger in Cloud Code. A routine in this trigger could check the second factor (stored with the user object) and reject the login if it does not match or is not provided.

Another may be to have per-user control over the authentication method. This would also allow for IP whitelisting for certain users (reject login attempts from non-listed IPs) or any variety of custom authentication methods. For example, if a user can login with Google, the user can ONLY login with Google, and not username/password.

I am not familiar enough with how Parse Server handles logins to know if the beforeLogin trigger is feasible, or if some other 2FA system would be easier to implement.

Just bumping this, I think this would be 100% awesome to put this in.

If I were to just brainstorm off the top of my head this is what comes to mind.

- Default adapter for 2FA, allowing other services to be added if they pop up.
- optional twoFactorEnabled on _User to track whether or not this is even an option.
- twoFactorSecret for this user (if the above is set), could screen this field away from querying since it's a bit sensitive.
- add some routes to UsersRouter.js like enableTwoFactor to get a QRCode/token, disableTwoFactor to remove it and verifyTwoFactor to actually run the check. Could be spread out further or consolidated into one endpoint though.
- Upon login, if twoFactorEnabled is true request that the user proceed to submit their second factor code; again this could go separately to something like verifyTwoFactor, maybe taking the username and code.
- The session upon login, but pending 2fa, would have to be available to the user, but locked to any further action.

As for blocking requests when pending 2fa, the primary concern is in making sure that until the user can authenticate themselves they should not be granted access as themselves. If validation succeeds clear the block and allow the user normal access with their session token. Since we have ACLs, this, in a nutshell, means we need to treat them like they're anonymous and subjected to the restrictions of public read/write. There are a number of ways this could be done, but I'm wondering if maybe not returning the user on successful login with 2fa enabled would be the easiest. Instead we could return something to indicate that further authentication is required.